CVE Vulnerability

CVE-2008-6512

Cross-domain vulnerability in the WorkerPool API in Google Gears before 0.5.4.2 allows remote attackers to bypass the Same Origin Policy and the intended access restrictions of the allowCrossOrigin function by hosting an assumed-safe file type containing Google Gear commands on the target domain, then accessing that file from the attacking domain, whose response headers are not checked and cause the worker code to run in the target domain.

6.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

References
Link Resource
http://www.securityfocus.com/bid/32698
http://lists.grok.org.uk/pipermail/full-disclosure/2008-December/066291.html
http://code.google.com/apis/gears/upcoming/api_workerpool.html#cross_origin Vendor Advisory
http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html Exploit
http://secunia.com/advisories/33062 Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/47173
Configurations

Configuration 1

cpe:2.3:a:google:gears:0.2:*:*:*:*:*:*:*
cpe:2.3:a:google:gears:0.3:*:*:*:*:*:*:*
cpe:2.3:a:google:gears:*:*:*:*:*:*:*:*
cpe:2.3:a:google:gears:0.4:*:*:*:*:*:*:*
cpe:2.3:a:google:gears:0.1:*:*:*:*:*:*:*
Information

Published : 2009-03-24 02:30

Updated : 2017-08-17 01:29

NVD link : CVE-2008-6512

Mitre link : CVE-2008-6512

Products Affected
No products.
CWE
NVD-CWE-Other